Minimum Security Standard: Applications

Systems that store, process, or access Sensitive data should be patched within two weeks of a security update addressing a Critical or High vulnerability becoming available. Systems that store, process, or access Restricted or Public data should be patched within four weeks of a security update addressing a Critical or High vulnerability becoming available.

✓

✓

✓

ITSO conducts monthly scans, which may uncover vulnerabilities on hosts or applications. Departments should use Security Center to identify and remediate vulnerabilities. Remediate Critical and High vulnerabilities within 14 days. Do not explicitly block our vulnerability scanning.

✓

✓

✓

Permit the minimum necessary services through any departmental network firewalls and/or host-based protections.

✓

✓

✓

Review existing accounts and privileges annually. Enforce password complexity. Web application logins with credentials via SAML required.

✓

✓

✓

Require multi-factor authentication for all administrator logins (PRS) and interactive users of RS applications.

✓

✓

✓

Forward logs to a remote log server. University IT Splunk service recommended.

–

✓

✓

Include security as a design requirement. Review all code and correct identified security flaws prior to deployment. Use of static code analysis tools recommended.

–

✓

✓

Join and monitor security and development lists to receive notification of updates.

–

✓

✓

Regular backup and encryption is recommended. Note that not all Sensitive or Restricted application data is permitted to be backed up.

–

✓

✓

Use separate administrative and personal accounts. Manage group passwords with a password manager.

–

✓

✓

Request a Vendor Risk Assessment prior to signing a contract or renewing an unreviewed contract with a vendor.

–

✓

✓

Implement PCI DSS, HIPAA, or export controls as applicable.

–

–

✓